This repository has been archived by the owner on Jun 20, 2024. It is now read-only.

Shorewall + weave = issues #3751

Open
koying opened this issue Dec 24, 2019 · 2 comments


koying commented Dec 24, 2019

There are some issues using weave on k8s together with shorewall.
I understand my setup is a playground, and k8s shouldn't be installed on bare metal with a firewall, so this is for reference in case someone else stumbles on those issues, really.

  1. If the "iface" extension is installed on the node, shorewall uses it, but the weave pod doesn't have it, resulting in `Can't find library for match 'iface'`.
  2. weave does an `iptables -A INPUT -i weave -j WEAVE-NPC-EGRESS`, resulting in the rule ending up after the reject from shorewall, i.e.
```
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    KUBE-FIREWALL  all  --  anywhere             anywhere
2    KUBE-SERVICES  all  --  anywhere             anywhere             ctstate NEW /* kubernetes service portals */
3    KUBE-EXTERNAL-SERVICES  all  --  anywhere             anywhere             ctstate NEW /* kubernetes externally-visible service portals */
[zone related rules]
12   ACCEPT     all  --  anywhere             anywhere
13   Reject     all  --  anywhere             anywhere
14   LOG        all  --  anywhere             anywhere             LOG level info prefix "Shorewall:INPUT:REJECT:"
15   reject     all  --  anywhere             anywhere            [goto]
16   WEAVE-NPC-EGRESS  all  --  anywhere             anywhere
```

Solutions:

  1. I ended up removing the extension from my system. Shorewall seems fine without it.
  2. I manually add an `iptables -I INPUT 4 -i weave -j WEAVE-NPC-EGRESS` to duplicate the rule before the reject.
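The ordering problem in point 2 is easy to miss because the weave rule is present, just unreachable. The helper below is an added example (not from this issue or from the weave project) that reads an `iptables -L INPUT --line-numbers` listing on stdin and reports whether the `WEAVE-NPC-EGRESS` jump comes before the first reject target. The function name and the two sample listings are mine; the samples are constructed to mirror the chain shown above, before and after the `iptables -I INPUT 4 ...` workaround.

```shell
#!/bin/sh
# Added example, not from the issue or the weave project.
# weave_npc_order: read an `iptables -L INPUT --line-numbers` listing on stdin
# and print one of:
#   ok        - the WEAVE-NPC-EGRESS jump precedes the first reject (or no reject exists)
#   shadowed  - a reject target comes first, so the weave jump is never reached
#   missing   - no WEAVE-NPC-EGRESS jump in the chain at all
weave_npc_order() {
  awk '
    $1 !~ /^[0-9]+$/ { next }   # skip headers and non-rule lines such as "[zone related rules]"
    # Shorewall jumps to its own "Reject" chain and also uses the "reject" target; catch both.
    tolower($2) == "reject" && !first_reject { first_reject = $1 + 0 }
    $2 == "WEAVE-NPC-EGRESS" && !weave       { weave = $1 + 0 }
    END {
      if (!weave)                                      print "missing"
      else if (!first_reject || weave < first_reject)  print "ok"
      else                                             print "shadowed"
    }'
}

# Constructed sample mirroring the listing in the issue: weave jump at 16, after the rejects.
BROKEN_INPUT_CHAIN='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    KUBE-FIREWALL  all  --  anywhere             anywhere
2    KUBE-SERVICES  all  --  anywhere             anywhere             ctstate NEW
3    KUBE-EXTERNAL-SERVICES  all  --  anywhere             anywhere             ctstate NEW
[zone related rules]
12   ACCEPT     all  --  anywhere             anywhere
13   Reject     all  --  anywhere             anywhere
14   LOG        all  --  anywhere             anywhere             LOG level info prefix "Shorewall:INPUT:REJECT:"
15   reject     all  --  anywhere             anywhere            [goto]
16   WEAVE-NPC-EGRESS  all  --  anywhere             anywhere'

# Constructed sample after `iptables -I INPUT 4 -i weave -j WEAVE-NPC-EGRESS`:
# the duplicated jump now sits at 4, ahead of the Shorewall reject rules.
FIXED_INPUT_CHAIN='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    KUBE-FIREWALL  all  --  anywhere             anywhere
2    KUBE-SERVICES  all  --  anywhere             anywhere             ctstate NEW
3    KUBE-EXTERNAL-SERVICES  all  --  anywhere             anywhere             ctstate NEW
4    WEAVE-NPC-EGRESS  all  --  anywhere             anywhere
13   ACCEPT     all  --  anywhere             anywhere
14   Reject     all  --  anywhere             anywhere
17   WEAVE-NPC-EGRESS  all  --  anywhere             anywhere'

printf '%s\n' "$BROKEN_INPUT_CHAIN" | weave_npc_order   # shadowed
printf '%s\n' "$FIXED_INPUT_CHAIN"  | weave_npc_order   # ok
# On a live node (as root): iptables -L INPUT -n --line-numbers | weave_npc_order
```

Running this after every Shorewall restart (or from a cron job) is a cheap way to notice when Shorewall has reloaded and pushed the weave rule back behind its reject again, which is the failure mode the manual `-I INPUT 4` workaround does not protect against.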
bboreham (Contributor) commented

I'm not sure what to do with this. Generally where two or more pieces of software are trying to manipulate the same iptables chains they run into trouble.

If there is an API for shorewall this could be a feature request to use that API. Or perhaps shorewall defines chains which can be used to add rules without fighting.

#3586 is related

And I didn't follow your point 1 about "iface" at all. What is it an extension to?

koying (Author) commented Feb 13, 2020

> And I didn't follow your point 1 about "iface" at all. What is it an extension to?

It's `xt_iface.ko` from xtables-addons.
